D-Link agrees to 10-year security assessment to settle FTC lawsuit

It will have to implement a comprehensive security program under the terms of settlement.

D-Link has settled a two-year-old lawsuit filed by the FTC over its products' insufficient security, and it has agreed to a few conditions to put the issue to bed. To start with, the company is required to implement a comprehensive software security program, which includes testing products for vulnerabilities before they're released, ongoing monitoring of its products to address security flaws, automatic security updates and accepting vulnerability reports from security researchers.

The agency took D-Link to court back in 2017 over the security of its routers and IP cameras. The FTC says the company failed to address preventable security flaws, such as storing passwords on its app in plain text and using hard-coded login credentials for its devices with easy-to-guess usernames and passwords. The court dismissed those claims once, because the FTC didn't submit enough proof to substantiate them.

While the agency was clearly able to resurrect the lawsuit, D-Link says that the court didn't find it liable for any alleged violation in the end. The court also came to the decision that D-Link didn't engage in any deceptive marketing statements or practices. Plus, the company says that it will merely continue "its current comprehensive software security program" as part of the terms of settlement.

Finally, D-Link is also required to undergo third-party assessments of its software security program for 10 years. The FTC has to approve the third-party assessor D-Link chooses, and it requires specific evidence to ensure its findings are impartial and accurate.